By Peter Harris
Protecting the consumer
“It’s not that I’m deliberately trying to shock people all the time. I’m just doing things that are obvious to me. It’s because the public doesn’t understand my way of thinking that they get surprised.” These are the words of Livedoor’s infamous CEO Takafumi Horie, spoken during a CNN interview back in November 2005. Although there is a fair case to be made that compared to other Japanese scandal-tainted business people such as Murakami, Horie was no worse, clearly Japanese consumers need more protection from ‘surprises’ in the future. As a result of Enron in the US and a series of scandals in Japan—such as Kanebo, Seibu Railways, Nikko, Murakami—Japan has introduced its own version of the US Sarbanes-Oxley Act, commonly known as J-SOX. Bureaucrats and businesses were prompted to take action as the cumulative result of such scandals has been to create a nervousness among Japanese savers concerning investment. With over US$12 trillion sitting in personal savings, Japan has reason to want to inspire confidence and increase the investment activities of Japanese consumers.
The actual legislation is made up of a number of different laws including the complex Financial Instruments and Exchange Law that will come into force from April 2008. Under the provisions of the law, all listed companies operating in Japan will be subject to much stricter compliance standards including the requirement to report earnings on a quarterly basis in accordance with their internal controls framework.
Thus, the stakeholders involved in J-SOX implementation are numerous: the government, all manner of businesses, financial institutions and of course, the Japanese consumer. An extraordinary amount of training and preparation is called for. On the legal side, getting to grips with over 1,000 pages of the new laws will be a strenuous task. Accountants will have to understand not only the law but also its practical implications in terms of auditing procedure, while banks and businesses will need to make sure that they have budgeted personnel and resources to take care of the changes.
Many will be looking to IT companies to provide J-SOX solutions along the lines of the software that has developed since the SOX legislation was implemented in the US. Peter Godwin, a senior partner at Herbert Smith in Tokyo explained that although “there will be a lot of pain involved in adapting to the legislation…obviously getting decent software in will help.”
What’s the difference?
Sarbanes-Oxley came into force in the US in 2002 and there are a number of equivalent pieces of legislation in different countries for example, the Loi sur la Sécurité Financière in France or the Turnbull in the UK. However, each law has its own nuances and differences in terms of enforcement. In many of these countries, SOX takes the form of what is essentially a series of guidelines, however in Japan, as in the US, there could be hefty fines and possibly even custodial sentences meted out to those who fail to comply.
Unlike the US SOX, J-SOX includes an extra IT compliance component that deals not only with the reporting of financial data but also with the whole range of corporate security. This may mean, for example, that use of USB devices will need tighter controls and regulation of usage. Companies such as Control Solutions and Protiviti are doing well out of advising companies what steps they need to take and of the differences between the US and Japanese versions of the legislation. Control Solutions Chairman Simon Dealy explained to us that, in their consultancy capacity, they advise companies to get ready for J-SOX by implementing appropriate software to manage their compliance obligations. The cubes (below) show that J-SOX involves a greater emphasis on the safeguarding of assets as well as an extra layer encompassing response to IT.
Additionally, the commercial environment and the compliance procedures are different. OpenPages MD for Asia Pacific, Derek Titterington, explained to us that “in Japan, management actually have to issue a report stating that they have strong internal controls, and then the auditor will examine this, and express an opinion about the report. In the US however, the external auditors would carry out an examination and make their own report.” This is an interesting point for a number reasons. For one, it means that compliance in Japan is not as costly— having the auditors in, going through the books, is a logistical headache and can also put a freeze on operations. The downside though is that it means that in Japan the CEO has to be more involved; to sign off on a report that claims to have compliant controls in place will require going through even the smallest details of corporate governance, from operational risks to accounting procedures.
Titterington explains that J-SOX will take what can be seen as top-down, risk-based approach—first auditors determine what is in scope and then investigate. When the legislation was first enacted in the US, it was on a bottom-up basis—first the data was checked and then the risks were identified—this was changed two years ago because it was deemed to be an unnecessarily convoluted and time consuming process. Having looked at the experience of the US, Japan will be adopting this top-down approach which should make auditing procedures relatively fast and efficient. While the desire to cut time and costs is a reason for the Japanese preference for this approach, it may also be related to the fact that Japan has a much smaller number of CPAs than in other countries—an estimated 17,000 compared with roughly 330,000 in the US and 130,000 in the UK. Training and recruitment will also prove both a challenge and an opportunity for adaptation to J-SOX compliance.
After Enron and the implementation of SOX in the US, a handful of companies realized that there was a demand for software that made it easy for managers and CEOs to see exactly what was going on inside their organization and be able to produce the required reports and guarantees in accordance with the new legislation.
OpenPages, founded in 1996, had been working in the field of document management. However, in 2000 their new CEO, Michael Duffy, recognized the company’s potential to provide a platform that could help top level executives conform to the stipulations of the new regulations. Duffy’s vision was to prove highly profitable as OpenPages quickly became well known among major global corporations, such as Symantec and Lloyds TSB, as a firm that could help them adjust to the emergent compliance environment. In 2006 they were ranked by Inc magazine’s 500 list as the 22nd fastest growing company in the US and as the fastest in the software category—based on a growth figure of 2,033%.
In Japan, as in other markets where similar legislation has been put in place, one of the biggest headaches for top executives is visibility.
And with J-SOX coming in next year, OpenPages are preparing for more rapid growth, and possibly an IPO, in the future. In order to set up, oversee and manage operations here, Derek Titterington moved to Tokyo last year. Titterington argues that in Japan, as in other markets where similar legislation has been put in place, one of the biggest headaches for top executives is visibility—they need to know what is going on not just under their noses but also in their offices worldwide and across departments. In an interview for Compliance Week magazine, Shinji Hatta, widely considered to be the principal author of J-SOX legislation, emphasized that the regulations have been designed with exactly this result in mind, “We want executives to create something that will work for them…We want them to take charge and be able to explain their company’s actions. They need to be well versed in their internal control systems and be accountable.”
Titterington explained that the OpenPages platform is a solution that is designed to help senior management meet this requirement. “Normally organizations start looking at their controls by gathering data in Word documents, Excel spreadsheets or Visio flowcharts. However, when it comes to getting a good grasp of the state of controls in the Singapore or Berlin office, more sophisticated software in necessary.” With the OpenPages platform, this becomes possible. Further, it is an automated platform which means the work does not have to be redone every year, it is constantly monitored and the data is visible. The system is continuously updated and can provide email and homepage alerts for key tasks as well as automating initial sub-certifications for managers that are then ‘rolled up’ for managerial approval at different levels of the business. This essentially takes care of the management of internal checks and procedures. “In a multinational organization such as ours, managing internal controls can be a significant challenge,” said Don Eldred, Director of Group Internal Control at BP. “Our investment in OpenPages FCM gives our organization added confidence to ensure that we are not only appropriately complying with our financial reporting responsibilities, but are also helping to reduce the time and resource costs associated with sustaining compliance.”
But it is not just new auditing regulations that require monitoring and control. Titterington described that SOX and J-SOX are increasingly being seen as just one of many areas to cover under the general umbrella of governance, risk and compliance (GRC). Within this, corporations must look beyond their financial controls and pay attention to IT compliance, general compliance and all kinds of operational risk as well. To an extent, J-SOX will affect all of these areas but, at the mercy of an infinite number of factors beyond their control, from seismic movements to bureaucratic whims, corporations are expected to factor in every eventuality if they are to prove their reliability to both consumers and shareholders.
Moreover, there is a financial incentive for giving evidence of quality internal controls. A bank for example, if it can demonstrate compliance with the BASEL II regulations, can free up reserves with which it can execute on growth strategies. Titterington recalls one such OpenPages client that was able to free up approximately 5% of its reserves, which given the number of zeros of the total sum, was an amount opening up a lot of possibilities. The software can also save on other fronts for example, a platform such as that offered by OpenPages can save an estimated 40% on reporting costs and 25% on costs relating to certification.
Because of the flexibility of the OpenPages platform, it is easily transferable for dealing with operational risk or any other GRC issues. Being a configured solution it is able to cope with sudden environmental or legal changes. In other words, say a company has a defined entity structure but then after two years there is an acquisition, a hard-coded customized software solution is difficult to adapt. Configured solutions are more flexible and thus suitable for longer term GRC strategies.
Ultimately, corporations are increasingly looking to IT to help them manage their internal controls. It is likely that as J-SOX comes into effect next year, even more managers and CEOs will understand the value of software in managing their internal controls. It is around this time that companies like OpenPages are looking forward to an influx of frantic enquiries. JI
OpenPages Japan KK
Shiroyama Trust Tower
Minato-Ku, Tokyo 105-6016
Tel : +81-3- 5403 4740
Fax : +81-3- 5403 4646
J@pan Inc Magazine, Nov/Dec 2007